When we connect two networks via a VPN connection, in most scenarios we only allow certain traffic to pass through. This is the normal security best practice, and we normally use a firewall to enforce it.
When it comes to Azure, we may also need to connect virtual networks,
• Between Azure and on-premises networks
• Between Azure regions (using VNet-to-VNet)
• Between subscriptions
By using Azure Firewall (https://docs.microsoft.com/en-us/azure/firewall/overview), we can control the traffic between virtual networks. More info about Azure Firewall can also be found in one of my previous posts: http://www.rebeladmin.com/2018/07/step-step-guide-azure-firewall-preview/
In this post, I am going to demonstrate how we can control the traffic between two virtual networks in two regions by using Azure Firewall. The same method can be used to control traffic between Azure and on-premises, or between subscriptions.
In the demo setup, I am using three virtual networks across two Azure regions.
Azure Firewall – This network is purely to host the Azure Firewall and the VPN gateway. The gateway in this network will be used for VNet-to-VNet connectivity with the Remote network.
Workloads – This network is the back-end network that will hold the VM workloads. The Remote network and the Workloads network will communicate via the Azure Firewall.
Remote network – This virtual network is in the UK South region. It is just to represent the “other” network. This can be your on-premises network, a virtual network in the same Azure subscription, or a virtual network in another Azure subscription.
In the above setup, two types of connection are used between virtual networks.
• VNet-to-VNet via Azure VPN Gateways – In this method, virtual networks are connected through the public internet. In the demo, we are using this method to connect the Azure Firewall network and the Remote network.
• VNet Peering – With VNet peering, virtual networks are connected via the Azure network backbone. In our scenario, we are using this method to connect the Azure Firewall network with the Workloads network. If we compare this with an on-premises network, it is similar to the connection between your local network and the edge firewall.
For the configuration process, I will be using PowerShell. Therefore, please make sure you have the Azure PowerShell (Az) module installed. More info about it can be found at https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0
Setup Azure Firewall Network
The first step of the configuration is to create a new resource group in East US.
To do that,
1. Launch a PowerShell console and connect to Azure using Connect-AzAccount
2. Create a new resource group using New-AzResourceGroup -Name REBELRG1 -Location "East US". Here REBELRG1 is the resource group name and East US is the location.
3. The next step is to create a new virtual network under REBELRG1 resource group.
$fwsubn1 = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix 10.0.0.0/24
$gwsubn1 = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix 10.0.1.0/24
$eusfwvnet = New-AzVirtualNetwork -Name EUSFWVnet1 -ResourceGroupName REBELRG1 -Location "East US" -AddressPrefix 10.0.0.0/16 -Subnet $fwsubn1,$gwsubn1
EUSFWVnet1's address space is 10.0.0.0/16. It is a class B-sized IP address range. We have two subnets under it.
• AzureFirewallSubnet (10.0.0.0/24) – This subnet will be used by Azure Firewall. Azure Firewall can only be created in a subnet named 'AzureFirewallSubnet'.
• GatewaySubnet (10.0.1.0/24) – This subnet is going to be used by the Azure VPN Gateway. The subnet must be named 'GatewaySubnet' for the gateway deployment to succeed.
Setup Azure VPN Gateway in Azure Firewall network
1. The next step of the configuration is to create a public IP address to use with the Azure VPN gateway. To do that,
$gatewayip1 = New-AzPublicIpAddress -Name EUSFWVnet1GW1 -ResourceGroupName REBELRG1 -Location "East US" -AllocationMethod Dynamic
In the above, EUSFWVnet1GW1 is the name of the new public IP address. The VPN Gateway only supports dynamic public IP address allocation, so it is set using -AllocationMethod Dynamic.
2. Before we create the gateway, we need to create an IP configuration for it.
$fwvnet1 = Get-AzVirtualNetwork -Name EUSFWVnet1 -ResourceGroupName REBELRG1
$fwgwsubnet1 = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $fwvnet1
$eusfwgw1ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name eusfwgw1ipconf1 -Subnet $fwgwsubnet1 -PublicIpAddress $gatewayip1
In the above, the New-AzVirtualNetworkGatewayIpConfig command is used to create an IP configuration for the gateway, using the previously created gateway subnet and public IP address.
3. Finally, we can create the gateway using,
New-AzVirtualNetworkGateway -Name EUSFWGW1 -ResourceGroupName REBELRG1 -Location "East US" -IpConfigurations $eusfwgw1ipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1
In the above, the new VPN gateway is called EUSFWGW1. Its SKU is set to VpnGw1.
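The following script is an added example, not code from the original post: it combines the two procedures above (the resource group and firewall network, then the VPN gateway) into one re-runnable script. It checks that the two reserved subnet names are present before creating anything, skips resources that already exist, and reports the gateway's provisioning state at the end. It assumes Connect-AzAccount has already been run and uses the same names and address ranges as the post; the variable names ($subnets, $gwPip, etc.) are this example's own.

```powershell
# Added example: build the East US firewall network and VPN gateway idempotently.
# Assumes Connect-AzAccount has already been run and the Az module is installed.
$rgName    = "REBELRG1"
$location  = "East US"
$vnetName  = "EUSFWVnet1"
$gwName    = "EUSFWGW1"
$gwPipName = "EUSFWVnet1GW1"

# Subnet definitions. Azure requires these exact names for the firewall and gateway subnets.
$subnets = @(
    [pscustomobject]@{ Name = "AzureFirewallSubnet"; Prefix = "10.0.0.0/24" },
    [pscustomobject]@{ Name = "GatewaySubnet";       Prefix = "10.0.1.0/24" }
)

# Guard: fail early if a reserved subnet name was changed in the table above.
$subnetNames = $subnets | ForEach-Object { $_.Name }
foreach ($required in @("AzureFirewallSubnet", "GatewaySubnet")) {
    if ($subnetNames -notcontains $required) {
        throw "Subnet '$required' is required by Azure and is missing from the subnet list."
    }
}

# 1. Resource group (created only if absent, so the script can be re-run safely).
$rg = Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue
if (-not $rg) {
    $rg = New-AzResourceGroup -Name $rgName -Location $location
}

# 2. Virtual network with the two reserved subnets.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -ErrorAction SilentlyContinue
if (-not $vnet) {
    $subnetConfigs = foreach ($s in $subnets) {
        New-AzVirtualNetworkSubnetConfig -Name $s.Name -AddressPrefix $s.Prefix
    }
    $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName `
        -Location $location -AddressPrefix "10.0.0.0/16" -Subnet $subnetConfigs
}

# 3. Public IP for the gateway (dynamic allocation, as required by the gateway).
$gwPip = Get-AzPublicIpAddress -Name $gwPipName -ResourceGroupName $rgName -ErrorAction SilentlyContinue
if (-not $gwPip) {
    $gwPip = New-AzPublicIpAddress -Name $gwPipName -ResourceGroupName $rgName `
        -Location $location -AllocationMethod Dynamic
}

# 4. Gateway IP configuration bound to GatewaySubnet.
$gwSubnet   = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$gwIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name "eusfwgw1ipconf1" `
    -Subnet $gwSubnet -PublicIpAddress $gwPip

# 5. Route-based VPN gateway. Gateway creation can take 30 minutes or more.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rgName -ErrorAction SilentlyContinue
if (-not $gw) {
    $gw = New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rgName -Location $location `
        -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1
}

# Post-check: report the gateway's state and SKU so a failed or pending deployment is visible.
$gw | Select-Object Name, ProvisioningState, GatewayType, VpnType, @{ n = "Sku"; e = { $_.Sku.Name } }
```

Run the script once to build the environment; running it again is safe because each step first looks up the resource and only creates it when missing. The final Select-Object line should show ProvisioningState as Succeeded before you continue with the firewall and the Remote network.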